
CN1670746B - Register control method - Google Patents


Info

Publication number: CN1670746B
Authority: CN (China)
Prior art keywords: anonymous, mentioned, personal data, individual, data
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Expired - Fee Related
Application number: CN2005100554268A
Other languages: Chinese (zh)
Other versions: CN1670746A
Inventors: 佐藤嘉则, 森田丰久, 牧秀行, 福本恭
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): Hitachi Ltd
Original assignee: Hitachi Ltd
Events: application filed by Hitachi Ltd; publication of CN1670746A; application granted; publication of CN1670746B; anticipated expiration; current legal status Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 ... using challenge-response
    • H04L9/3273 ... using challenge-response for mutual authentication
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a database system for processing highly confidential data such as electronic personal information, medical information and official documents. In the prior art, which is centred on access control, the information subject (the individual) cannot ascertain how their personal information is being used. In the prior art that encrypts stored data, a decryption key is needed on every occasion the personal data are used, and once the data have been decrypted they can no longer be protected. The present invention configures a system in which purchase history is collected under an anonymous ID, and the operation that links the anonymous ID to the personal ID requires a response from a membership card or a proxy server. The personal data themselves need not be encrypted: they are stored in the clear, keyed by the personal ID and the anonymous ID, and the anonymous ID is updated on the server side every time it is linked to the personal ID. At that time the anonymous ID that serves as the collection key for the purchase history already accumulated is updated as well.

Description

Register control method

Technical field

The present invention relates to a database system for processing highly confidential data such as electronic personal information, medical information and official documents.

Background art

The recommendation "OECD RECOMMENDATION CONCERNING AND GUIDELINES GOVERNING THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA", adopted by the OECD (Organization for Economic Co-operation and Development) in 1980, sets out eight principles of privacy protection. The eight OECD principles lay down, for each of the matters of purpose specification, use limitation, collection limitation, data content, security safeguards, openness, individual participation and accountability, the rules that those who manage personal information, such as enterprises, should follow. Each OECD member country has developed its domestic laws and guidelines on privacy and personal information protection along the lines of the eight principles, with the result that enterprises that manage personal information are compelled to comply with such regimes. This has created a variety of new tasks within enterprises, which require the investment of human and financial resources.

Furthermore, the advent of computer networks has made it easy to exchange large volumes of personal information in electronic form, so a single leakage incident can cause harm over a very wide range. As networks develop, the risk of litigation in the form of damage claims over leakage incidents also grows. In addition, with today's rising awareness of privacy, enterprises bear not only a legal but also a moral responsibility for the management of personal information, and the danger of an unexpected leak of personal information is recognised as a source of reputational risk. To avoid these risks, many enterprises have no choice but to spend more on the proper management of personal information. One known personal information management system (hereinafter, prior art 1) is a system that supports personal information management operations and in particular provides an access control function for personal information in electronic form based on consent to use. Prior art 1 is described, for example, at http://www-6.ibm.com/jp/software/tivoli/products/privacy.html.

Prior art 1 discloses a personal information management policy that states the purpose of use, the data items collected and so on, and provides a function for recording the consent of providers of personal information, such as consumers and users, to that policy. It also provides an access control function that restricts the use of personal information within the enterprise to appropriate users. Consent-based access control is implemented through the privileges of the programs executed by the computer. Prior art 1 further provides a function for recording which user accessed personal information and for what purpose.

As a well-known method of anonymously managing so-called "sensitive data" within personal information, there is a system for managing medical information (hereinafter, prior art 2). Prior art 2 is described, for example, in JP-A-2001-357130. Prior art 2 separates personal identification information such as name, address and date of birth from disease information such as genetic information, encrypts each with a different key, and stores the decryption keys on a recording medium such as an IC card. The holder of the IC card can thereby control the use of the personal identification information and the disease information. The system also assigns a management code that links the personal identification information to the disease information; by using this management code, anonymous disease information can be used without using the personal identification information.

The national protection laws and guidelines based on the eight OECD principles require that the purpose of use be stated explicitly in the personal information management policy and that consent to use be obtained from the information provider. Prior art 1 implements access control over accumulated personal information on the basis of such consent, but it has the problem that the information provider cannot ascertain how their personal information is being used. The same applies when operations that use personal information are outsourced: prior art 1 offers the outsourcing enterprise no way to manage how the contractor uses the information.

Prior art 2 has the problem that it also restricts uses of the personal identification information that do not require the disease information. In prior art 2 the disease information need not be encrypted, but the personal identification information must be stored encrypted to ensure anonymity, so decrypting it requires the decryption key stored on the IC card or the like. Moreover, in prior art 2 the management code that links the personal identification information to the disease information is stored in the clear, and once assigned it is never changed. Consequently, once a system user has obtained decrypted personal identification information, that user can thereafter freely link disease information to it without any regard for anonymity.

These problems of prior art 2 stem from a structural principle that does not suit the field of application. For example, if prior art 2 were used to manage customer information in a retail store, the purchase history could be treated in the same way as the disease information, but the system could not be used for a purpose such as a call centre or other customer contact point that needs to consult only the personal identification information in order to verify identity.

Summary of the invention

The present invention provides a method that executes processing for receiving from a client anonymous management data consisting of one or more anonymous IDs, each generated by a HASH function keyed by a personal ID that identifies a specific individual, and one or more personal data usage permission conditions; then determines whether the received anonymous ID conflicts with an anonymous ID stored on the server and executes processing for sending the result of that determination to the client; then, if there is no conflict, executes processing for storing the anonymous management data in a database; and then executes processing for replacing, with the received anonymous ID, any anonymous ID in the database that was generated from the same personal ID as the received anonymous ID.

It further provides a method that receives an anonymous ID from a client and then, using the anonymous ID as a key, accumulates electronic data that can identify a specific individual when collated with personal data.

Furthermore, the personal data usage permission conditions can control whether the stored personal ID may be received when the personal data management server makes a request to the client that sent the stored anonymous ID.

In this way a system can be configured that manages personal data in anonymous form and in which the personal data management server requests permission from the client whenever the personal data are to be linked and used. The problem of prior art 1 can thus be overcome.

Moreover, because the present invention provides a mechanism that severs the linkage between items of personal data by means of the anonymous ID, the stored personal data need not be encrypted in order to protect personal information. The problem of prior art 2 can thus be overcome.

In the present invention the purchase history is collected under the anonymous ID, and the operation that links the anonymous ID to the personal ID requires a response from the membership card or from a proxy server, so a record of actual register-control uses of personal data can be kept outside the system. The user can thereby confirm that the personal data are being used correctly, in accordance with the consent to use granted to the personal information manager.

Furthermore, in the present invention the personal data themselves are stored in the clear rather than encrypted, and the anonymous ID is updated on the server side every time it is linked to the personal ID; the anonymous ID that serves as the collection key for the purchase history already accumulated is updated at the same time. Hence the invention is not limited to register control: it offers the flexibility of freely using data keyed by the personal ID and by the anonymous ID within the scope permitted by access control, while at the same time preventing unauthorised use of personal data for purposes other than those intended.

Brief description of the drawings

Fig. 1 shows the basic configuration of the present invention;

Fig. 2 shows a first embodiment of the present invention;

Fig. 3 shows the input data and internal data of the first embodiment;

Fig. 4 shows the output data of the first embodiment;

Fig. 5 shows the process by which a membership card registers an anonymous ID in the system;

Fig. 6 shows the point calculation process using an anonymous ID;

Fig. 7 shows the generation of the joined data used by the purchase tendency analysis method;

Fig. 8 shows a second embodiment of the present invention;

Fig. 9 shows the internal data used in the second embodiment;

Fig. 10 shows an alternative to the basic configuration of the present invention;

Fig. 11 shows a third embodiment of the present invention;

Fig. 12 shows the internal data of the third embodiment of the present invention;

Fig. 13 shows the sequence of using the management card, updating the anonymous ID correspondence data and extracting data from the split-storage personal database;

Fig. 14 shows the sequence in which the membership card obtains a copy of the anonymous ID from the server.

Detailed description

The terms used below are defined as follows. Personal information is information relating to an individual from which a specific individual can be identified by the name, date of birth or other description it contains. Personal information also includes information, such as an address, that can easily be collated with other information and by which a specific individual can thereby be identified. Personal data are the parts of personal information, chiefly in electronic form, that make up a database a computer can readily search.

System 100 in Fig. 1 shows the basic configuration of the present invention. 101 is an anonymous ID sending unit, 102 an anonymous ID, 103 an anonymous ID database, 104 a personal ID database, 105 an anonymous ID issuing unit, 106 an anonymous ID registration unit, 107 a management anonymous ID database, 108 an ID response unit, 109 a data join unit, 110 a split-storage personal database, 111 a usage history database and 112 joined data.

The personal ID database 104 stores IDs (identifiers) that identify specific individuals. The anonymous ID issuing unit 105 issues IDs for management in anonymous form, based on the data stored in the personal ID database 104. An anonymous ID has the property that the personal ID is difficult to infer from its value. Anonymous IDs are stored in the management anonymous ID database 107 and in the anonymous ID database 103 via the anonymous ID registration unit 106. At that time the anonymous ID registration unit 106 rewrites the data already stored in the split-storage personal database 110 using the stored anonymous ID. The anonymous ID sending unit 101 sends the anonymous ID 102 stored in the anonymous ID database 103 to the outside of system 100 in response to a request from outside the system.

The split-storage personal database 110 manages personal data by personal ID and by anonymous ID. It stores personal data keyed by the sent anonymous ID 102, for example purchase history, and also stores personal data such as name and address keyed by the personal ID stored in the ID database 104. The data join unit 109 joins the data keyed by the anonymous ID with the data keyed by the personal ID and sends the result outside system 100 as joined data 113. The join operation is, for example, a join in an RDB; it occurs frequently in business programs that process personal data, as the processing known as register control. The data join unit 109, however, does not join the data unless it receives a definite response from the ID response unit 108. The ID response unit 108 records the request issued by the data join unit 109 and the corresponding response in the usage history database 111.

When linking the sets of personal data stored in the split-storage personal database, the present invention adopts a configuration in which a definite response from the ID response unit 108 is a necessary condition. The use of personal data can thus be managed and recorded through the operation of the ID response unit 108.

System 1000 in Fig. 10 is a configuration suited to the case in which the user who uses only anonymous IDs is a different party from the personal data manager who permits data join operations or register control. In system 1000 the anonymous ID response unit 108 of system 100 is replaced by an ID correspondence data response unit 1005, and the management anonymous ID database 107 by an anonymous ID update history database 1004. The anonymous ID update history database 1004 stores the update history of the anonymous IDs. An anonymous ID communication unit 1002 obtains the latest anonymous ID from an anonymous ID synchronization unit 1001 and stores it in a replica anonymous ID database 1003. The anonymous ID communication unit 1002 is not necessarily always online, however, and the anonymous ID issuing unit 105 may update the anonymous ID while it is offline. When linking the sets of personal data stored in the split-storage personal database, system 1000 adopts a configuration in which a definite response from the ID correspondence data response unit 1005 is a necessary condition; the use of personal data can thus be managed and recorded through the operation of the ID response unit 1005. The anonymous ID synchronization unit 1001 also gives operational flexibility: for example, the personal data manager can hold the personal database 104 and the anonymous ID database 103 while other system users hold the replica anonymous ID database.

[Embodiment 1]

The present invention is described in detail below by way of embodiments. For each embodiment the system configuration, internal data, input data and output data are shown first, followed by the processing sequence.

Fig. 2 shows a first embodiment in which the present invention is applied to a retail store. System 200 is a member management system using a retail store's membership card and consists of a membership card 201, a business data generation server 202, a personal data usage program 204 and an access control server 208. System 200 collects purchase history through the membership card and outputs points 211 and a DM (direct mail) address list 212. The membership card, which is the client device, is an IC card whose IC chip carries memory and registers; in principle a PDA, mobile phone or the like could take its place.

The membership card 201 consists of the anonymous ID sending unit 101, the anonymous ID database 103, the personal ID database 104, the anonymous ID issuing unit 105, the ID response unit 108 and the usage history database 111.

Data 300 are the data stored in the personal ID database 104 and consist of a field 305 representing the personal ID and fields representing the consent conditions. The value 321 stored in field 305 is an integer that is unique among members; the record 319 is stored in the personal ID database 104 when the membership card is issued. There are zero or more fields representing the consent conditions of data 301; in this embodiment there are three, fields 307, 308 and 309. They hold, respectively, whether the personal data may be used as a DM address, whether they may be used in the analysis of a specific individual, and whether they may be used in the statistical analysis of unspecified individuals. In accordance with the consent given by the member, fields 307, 308 and 309 store the value OK where use of the personal data is permitted and NG where it is not.

Data 301 are the data stored in the anonymous ID database 103 and consist of a field 306 representing the anonymous ID and fields 307, 308 and 309 representing the consent conditions. For ease of explanation the value 320 stored in field 306 is shown as "A1001", so that it is easy to see that it is generated from value 321, but the actual value 320 is generated as a HASH value keyed by value 321. One typical HASH function for generating value 320 is MD5. With such a HASH function, value 320 takes a pseudo-random value and it is difficult to infer value 321 from value 320.

The business data generation server 202 consists of the anonymous ID registration unit 106, the management anonymous ID database 107, the data join unit 109 and the split-storage personal database 110. The anonymous ID registration unit 106, however, is built into a tamper-resistant device 203, so it cannot be rewritten at will and its internal processing cannot be freely observed from outside. Normally the anonymous ID registration unit 106 is built into the tamper-resistant device 203 at the time of manufacture.

The personal data usage program 204 consists of a purchase record execution unit 205, a point management unit 206 and a purchase tendency analysis unit 207. A purchased product ID 210 is an ID such as a JAN code attached to the product, which the store clerk enters from the register using a barcode or an RFID tag. System 200 attaches an anonymous ID to the entered purchased product ID 210 and records it; the anonymous ID is sent by the membership card connected to the register. The purchase tendency analysis unit 207 analyses personal data including the purchase history and outputs a list of members for whom sending DM can be expected to induce purchases.

The access control server 208 has an access control unit 209 and controls access by the personal data usage program 204 to personal data that have been linked (formed into a register).

数据302,是管理用ID数据库107的存储数据,并且一个记录数据对应一个会员。每个字段都由与表格301相同的字段组成。个人ID为1001、2001、3001的会员的匿名ID分别是A1001、A2001、A3001。Data 302 is stored data in the ID database 107 for management, and one record data corresponds to one member. Each field consists of the same fields as Form 301. The anonymous IDs of members whose personal IDs are 1001, 2001, and 3001 are A1001, A2001, and A3001, respectively.

数据303、数据304是分割存储个人数据库110的存储数据。数据303的每个记录是将个人ID305作为关键字的个人数据,并且在新发行会员卡的时候被登录进去。每个记录都由表示个人ID、姓名、住址、年龄的字段305、310、311、312组成。Data 303 and data 304 are stored data of the personal database 110 which is divided and stored. Each record of data 303 is personal data using personal ID 305 as a key, and is registered when a membership card is newly issued. Each record consists of fields 305, 310, 311, 312 representing a person's ID, name, address, age.

Each record of data 304 is personal data keyed by the anonymous ID 306 and is registered by the purchase record recording unit 205. A record consists of field 306 holding the anonymous ID and fields 313, 314 and 315 holding, as purchase history, the purchase date, the purchased item and the amount. Field 313 stores the date on which the purchase record recording unit 205 created the record. Field 314 stores the item category determined from the JAN code supplied by the barcode or from the individual item code supplied by the RFID tag; in principle field 314 may also hold the JAN code or the individual item code itself. Field 315 stores the amount paid. The records of data 304 also include point-management data such as data 322, which shows that anonymous member A1001 redeemed 1,500 in points for a discount on 15 April 2004.

Data 316 is the content stored in the usage history database 111. Each record consists of fields 306, 317 and 318 holding the anonymous ID, the date of use and the purpose of use. Records of data 316 are created and registered by the ID response unit 108. Field 317 is the date on which the ID response unit 108 answered a personal data use request from the data connection unit 109. Field 318 is the purpose of use notified by the data connection unit 109, as recorded by the ID response unit 108.

Data 401 is the output of the point management unit 206; in a typical use it is printed on the receipt. Each record consists of fields 306, 404, 405 and 406 holding the anonymous ID, accumulated points, points used and points added. Field 404 is the balance of points held after the purchase, field 405 the points used as a discount on the purchase, and field 406 the points newly granted for the purchase.

Data 402 is the output of the purchase tendency analysis unit 207; in a typical use it is the print data for the addressee names on DM envelopes. Each record consists of fields holding the personal data needed for DM dispatch and fields holding analysis results. The first group carries the personal ID, name and address (the source labels them 306, 313, 314, although data 303 defines these as fields 305, 310, 311), and field 407 carries the predicted response rate to a promotion for meat products. There may be two or more analysis-result fields like 407. One use of data 402 is, when a meat promotion DM is to be sent to a fixed number of members, to select preferentially the members who can be expected to respond with a purchase.

The above describes the configuration, internal data, input data and output data of the first embodiment. The processing is described next using sequence diagrams. In each diagram an arrow with a filled triangular head denotes a procedure call, for example process 701: the caller (originating side) does not proceed to the next step until the called processing has finished. An arrow with a stick head denotes asynchronous communication, for example process 714: processing proceeds in parallel, and the sender (originating side) continues with the next step without waiting for the communication to complete.

Processing that spans the membership card 201 and the business data generation server 202 starts only after the two have mutually authenticated, and for its duration the communication path between them is protected by an appropriate physical or cryptographic security mechanism. Well-known techniques are used for mutual authentication and path protection.

Sequence 500 shows the flow for registering an anonymous ID in system 200. Anonymous ID registration runs when a membership card is newly issued and whenever the ID response unit 108 answers with the personal ID associated with an anonymous ID. Once the card is connected to the reader and mutual authentication and path establishment are complete, in process 501 the anonymous ID registration unit 106 generates a random positive integer r and asks the anonymous ID issuing unit 105 to issue anonymous IDs, passing r with the request.

Next, in process 502, the anonymous ID issuing unit 105 generates M records consisting of fields 306, 307, 308 and 309. Fields 307 and 308 hold the value of record 319, identical in every record. The anonymous ID in field 306 is one of M mutually distinct hash values obtained by applying a hash function such as MD5 to the combination of i, r and m, written h(i+r+m), where i is the personal ID 321 and m runs over the consecutive integers from 1 to M (m = 1, 2, ..., M). M is an arbitrary integer parameter of 1 or more fixed when the card is issued, decided in advance from the conditions the member agreed to at issuance and from how the purchase record data will be used. This embodiment uses M = 1 because the data serves point management; if the purchase record data were used only for billing, for example, M ≥ 2 could be chosen.

Because the hash input includes the random value r and the anonymous ID issuing unit 105 sits inside a tamper-resistant device, an anonymous ID cannot be inferred from a personal ID even though the retailer operating system 200 assigns the personal IDs itself. This guarantee holds only as long as r never leaves the tamper-resistant device: anyone who learns both i and r can recompute every anonymous ID, since the hash is deterministic.

When process 502 finishes, the anonymous ID issuing unit 105 returns to the anonymous ID registration unit 106, as the result of the procedure call 501, the records newly generated in 502 together with the data 320 of the anonymous IDs issued previously. If no anonymous ID has been issued before and 320 is empty, a code denoting absence is sent in place of 320.

The anonymous ID registration unit 106 then checks whether the anonymous IDs submitted for registration collide with any already registered in 107; if a collision is detected the sequence restarts from process 501. If this happens more than a predetermined number of times the system handles it as an exception and ends sequence 500. With a one-way, input-sensitive hash such as MD5, accidental collisions are extremely rare, so in practice the procedure of this embodiment can be expected to work. (That rarity argument concerns honestly generated, random inputs; MD5 is no longer collision-resistant against an adversary who chooses inputs, so a modern deployment would use SHA-256 or stronger, for which the same argument holds.) If no collision is detected, process 503 follows: the anonymous ID registration unit 106 notifies the issuing side that it has received the IDs generated by the anonymous ID issuing unit 105.

In process 504 the anonymous ID issuing unit 105 appends the generated records to the anonymous ID database 103. Records already stored in the anonymous ID database 103 may be deleted as needed.

Next, in process 505, the anonymous ID registration unit 106 appends the records received as the return value of process 501 to the management anonymous ID database 107.

In process 506 the anonymous ID registration unit 106 temporarily enters a waiting state. If the next membership card is connected, process 501 is executed for it. When T seconds or more have passed since entering the wait, or when the number of new anonymous IDs received from cards but not yet registered reaches K·M, process 507 is executed. K is an arbitrary integer parameter of 1 or more; to have process 507 handle the anonymous IDs of several membership cards at once, set K to the desired number of cards. T is a timeout parameter, a real number greater than 0, in seconds.

In process 507 the anonymous ID registration unit 106 searches the split-storage personal database for the previously issued anonymous IDs received in process 503 and replaces them with the newly generated ones. When M ≥ 2, a new anonymous ID is chosen at random for each record being replaced.

This completes sequence 500.
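The issuing, collision-check and rotation steps of sequence 500 (processes 501, 502, 505 and 507) as an added Python example; this is illustrative code written for this page, not code from the patent or from Hitachi. SHA-256 is substituted for the MD5 the patent names, the retry limit MAX_RETRIES, the in-memory registry standing in for database 107, and the record layout of data 304 are all assumptions of the example.

```python
import hashlib
import secrets
from typing import Callable, Optional

MAX_RETRIES = 3   # assumed value for the "predetermined number of times" in sequence 500


def issue_anonymous_ids(personal_id: str, r: int, M: int) -> list:
    """Process 502 (issuing unit 105): M distinct values h(i, r, m) for m = 1..M.

    The patent cites MD5; SHA-256 is used here instead (an assumption of this
    example) because MD5 collisions are practical today.  The three inputs are
    delimited so that (i, r, m) cannot be re-split ambiguously.
    """
    out = []
    for m in range(1, M + 1):
        material = b"|".join([personal_id.encode(), str(r).encode(), str(m).encode()])
        out.append(hashlib.sha256(material).hexdigest()[:16])  # 64-bit tag is enough for a demo
    return out


class ManagementRegistry:
    """Stand-in for the management anonymous ID database 107 (data 302)."""

    def __init__(self) -> None:
        self.anon_to_person: dict = {}   # anonymous ID -> personal ID
        self.person_to_anon: dict = {}   # personal ID -> its current M anonymous IDs

    def register(self, personal_id: str, M: int,
                 r_source: Callable[[], int] = lambda: secrets.randbits(64)) -> Optional[list]:
        """Processes 501/502/505 with the collision retry; None when retries are exhausted
        (the exception path that ends sequence 500)."""
        for _ in range(MAX_RETRIES):
            r = r_source()                                    # process 501: fresh random r
            new_ids = issue_anonymous_ids(personal_id, r, M)  # process 502
            if any(a in self.anon_to_person for a in new_ids):
                continue                                      # collision: restart from 501
            for a in new_ids:                                 # process 505: append to 107
                self.anon_to_person[a] = personal_id
            self.person_to_anon[personal_id] = new_ids
            return new_ids
        return None


def rotate_purchase_records(records: list, old_ids: list, new_ids: list,
                            pick: Callable[[list], str] = secrets.choice) -> int:
    """Process 507: replace previously issued anonymous IDs in data 304 with the new ones.
    With M >= 2 each record gets a randomly chosen new ID.  Returns the number of rows changed."""
    old = set(old_ids)
    changed = 0
    for rec in records:
        if rec["anonymous_id"] in old:
            rec["anonymous_id"] = pick(new_ids)
            changed += 1
    return changed
```

The `r_source` and `pick` parameters exist only so the randomness can be fixed in a test; in a deployment both come from the tamper-resistant device. Note that the registry keeps the superseded IDs, which is what makes the collision check meaningful across rotations; the patent leaves deletion from database 103 to operational need.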

Sequence 600 shows the flow for recording a purchase using the anonymous ID and the subsequent update of points. The purchase record recording unit 205 and the point management unit 206 are programs invoked from the register; typically sequence 600 starts after the register has totalled the purchase. In what follows the membership card is assumed to be connected to system 200 through a register 606 located outside the system, and the register 606 temporarily holds the item IDs of the purchase being settled.

In process 601 the purchase record recording unit 205 first requests an anonymous ID from the membership card 201. The anonymous ID sending unit 101 on the card 201 consults the anonymous ID database 103, picks one of the M anonymous IDs at random and sends it to the register 606.

In process 602 the item IDs temporarily held by the register 606 and the anonymous ID received in process 601 are sent to the purchase record recording unit 205.

In process 603 the purchase record recording unit 205 forms new records in the format of data 304 and stores them in the split-storage personal database 110.

When recording of the purchase is complete, the register 606 sends the anonymous ID received in process 601 to the point management unit 206 in process 604 and starts the point calculation.

In process 605 the point management unit 206 retrieves the data 304 stored in the split-storage personal database 110 under the received anonymous ID and computes the accumulated points. Many point schemes are possible; for example the usable balance is computed from the total of points used in the past and the total amount purchased during the last year. When process 605 ends, the register 606 obtains the accumulated points as the result of the procedure call 604.

In process 607 the register 606 builds data 401 from the accumulated points, the item data of the purchase being settled and whether points were redeemed, and outputs it on the receipt and on the register display.

This completes sequence 600.

Sequence 700 shows the flow when data 303, managed by personal ID, and data 304, managed by anonymous ID, are used together; it is started when the purchase tendency analysis unit 207 is used to generate a DM address list. In sequence 700, when the purchase tendency analysis unit 207 requests personal data for analysis, the members who have given a use commitment are identified through their anonymous IDs and the data connection unit enters a state of waiting for a membership card to connect. When a card carrying such an anonymous ID is connected in this state, the processing that identifies the personal ID starts, and the purchase tendency analysis unit 207 obtains the analysis data. The details of sequence 700 follow.

First, in process 701, the purchase tendency analysis unit 207 requests analysis data. Specifically, it calls the access control unit 209, passing as parameters the data names (table names and field names) needed to generate the DM dispatch list; for the DM dispatch list these are the table and field names of data 303 and 304.

In process 702 the access control unit 209 determines the purpose of use of the personal data from the kind of program that requested the analysis data. Here the requester is the purchase tendency analysis unit 207, so the purpose is determined to be DM dispatch. Using this purpose, the access control unit 209 then decides whether the requested data names may be used; if use is refused, a false value is returned to the purchase tendency analysis unit 207 as the result of process 701. If use is permitted, a data connection request is sent in process 703 and a true value is returned to the purchase tendency analysis unit 207.

In process 703 the data connection unit 109 enters a state of waiting for communication with a membership card. Processes 704, 705 and 706 are executed in turn for every membership card connected within X seconds of the data connection unit 109 entering the wait. For ease of explanation, the flow for a single card is described below.

When a membership card connects to system 200 and a communication path is established, process 704 starts: the data connection unit 109 first receives the anonymous ID from the ID response unit 108 and checks the use commitment against the data 302 stored in the management anonymous ID database 107. If DM dispatch is permitted (OK) the flow proceeds to process 705; if not (NG), the data connection unit 109 returns to the waiting state.

In process 705 the data connection unit 109 sends the purpose of use to the ID response unit 108 and requests the personal ID.

In process 706 the ID response unit 108 checks, against the use commitment stored in the anonymous ID database 103, whether the received purpose of use is permitted; it then tells the anonymous ID issuing unit 105 that a personal ID has been requested. A new record is appended to the data 316 stored in the usage history database 111. The anonymous ID issuing unit 105 then asks the anonymous ID registration unit 106 to update the anonymous ID.

Processes 707 to 711 perform the same processing as processes 501 to 505 of sequence 500, and the new anonymous ID is registered in the split-storage personal database 110.

In process 712 the personal ID requested in process 705, together with the M anonymous IDs that were in use at the time of process 705, is delivered to the data connection unit 109; the data connection unit 109 then enters a state of waiting for the split personal database to be changed (process 716).

In process 713 the data connection unit 109 uses the personal ID and anonymous IDs obtained in process 712 to generate the analysis data. It extracts the record with that personal ID from data 303 in the split-storage personal database, extracts the records with those anonymous IDs from data 304, and replaces the anonymous ID in each of those records with the corresponding personal ID.

In process 714 the data connection unit 109 sends the analysis data generated in process 713 asynchronously to the purchase tendency analysis unit 207.

In processes 715 and 716 the same processing as processes 506 and 507 of sequence 500 is performed, and the anonymous IDs stored in the split-storage personal database 110 are updated.

Meanwhile, the purchase tendency analysis unit 207 starts its analysis once a predetermined amount of analysis data has arrived via process 714, and in process 718 outputs data 402 as the result.
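The access-control, commitment-check and join steps of sequence 700 (processes 701 to 706, 712 and 713) as an added Python example; this is illustrative code written for this page, not code from the patent or from Hitachi. The program-to-purpose table, the per-purpose field policy, the representation of the use commitment as a purpose-keyed map, and the sample rows standing in for data 302, 303 and 304 are all assumptions of the example; the re-issuance steps 707 to 711 and 715 to 716 are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

# Process 702: the purpose of use is derived from the kind of requesting program,
# never from a string the caller supplies.  Both tables are assumptions of this example.
PROGRAM_PURPOSE = {
    "purchase_tendency_analysis": "DM dispatch",
    "point_management": "point management",
}
PURPOSE_ALLOWED = {
    "DM dispatch": {
        "data303": {"personal_id", "name", "address"},
        "data304": {"anonymous_id", "purchase_date", "item", "amount"},
    },
    "point management": {
        "data304": {"anonymous_id", "purchase_date", "item", "amount"},
    },
}


def decide_purpose(program: str, requested: dict) -> tuple:
    """Access control unit 209: returns (purpose, permitted) for a request of
    {table name: set of field names}."""
    purpose = PROGRAM_PURPOSE.get(program)
    if purpose is None:
        return None, False
    allowed = PURPOSE_ALLOWED[purpose]
    permitted = all(fields <= allowed.get(table, set()) for table, fields in requested.items())
    return purpose, permitted


@dataclass
class MembershipCard:
    """Card 201: personal ID DB 104, anonymous ID DB 103 (with commitments), usage history 111."""
    personal_id: str
    anonymous_ids: list
    commitments: dict                       # fields 307-309 of data 301, keyed by purpose here
    usage_history: list = field(default_factory=list)

    def respond_personal_id(self, purpose: str, today: str) -> Optional[str]:
        """Process 706: the card re-checks the commitment itself and logs every grant (data 316)."""
        if not self.commitments.get(purpose, False):
            return None
        self.usage_history.append({"anonymous_id": self.anonymous_ids[0],
                                   "use_date": today, "purpose": purpose})
        return self.personal_id


def join_for_analysis(data303: list, data304: list, personal_id: str, anonymous_ids: list) -> tuple:
    """Process 713: the data-303 row for the personal ID plus the data-304 rows for any of its
    M anonymous IDs, with the anonymous key rewritten to the personal ID."""
    person_rows = [r for r in data303 if r["personal_id"] == personal_id]
    anon = set(anonymous_ids)
    history = []
    for rec in data304:
        if rec["anonymous_id"] in anon:
            row = {k: v for k, v in rec.items() if k != "anonymous_id"}
            row["personal_id"] = personal_id
            history.append(row)
    return person_rows, history


def run_sequence_700(program: str, requested: dict, card: MembershipCard,
                     data302: dict, data303: list, data304: list, today: str) -> dict:
    """Sequence 700 for one connected card; status is OK, refused (702) or NG (704/706)."""
    purpose, permitted = decide_purpose(program, requested)        # 701, 702
    if not permitted:
        return {"status": "refused"}                                # false value returned to 207
    presented = card.anonymous_ids[0]                              # 704: card offers one anonymous ID
    if not data302.get(presented, {}).get(purpose, False):
        return {"status": "NG"}                                     # server-side commitment says no
    personal_id = card.respond_personal_id(purpose, today)         # 705, 706
    if personal_id is None:
        return {"status": "NG"}
    person_rows, history = join_for_analysis(data303, data304, personal_id, card.anonymous_ids)  # 712, 713
    return {"status": "OK", "purpose": purpose, "person": person_rows, "history": history}


# Constructed sample rows mirroring data 302, 303 and 304 (not taken from the page).
DATA302 = {"A1001": {"DM dispatch": True, "point management": True},
           "A2001": {"DM dispatch": False, "point management": True}}
DATA303 = [{"personal_id": "1001", "name": "Member One", "address": "1-1 Example St", "age": 34},
           {"personal_id": "2001", "name": "Member Two", "address": "2-2 Example St", "age": 41}]
DATA304 = [{"anonymous_id": "A1001", "purchase_date": "2004-04-15", "item": "meat", "amount": 3200},
           {"anonymous_id": "A1001", "purchase_date": "2004-04-15", "item": "point use", "amount": -1500},
           {"anonymous_id": "A2001", "purchase_date": "2004-04-16", "item": "milk", "amount": 180}]
```

The design point worth keeping from the patent is that the commitment is checked twice by different parties: the server consults its copy in data 302 (process 704), and the card consults its own copy and writes the usage record before releasing the personal ID (process 706), so a server that skips its check still cannot obtain the personal ID without leaving a trace on the card.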

A feature of the invention is therefore that a record of each use of personal data remains in the usage history database 111; in this embodiment the member can consult it by having the membership card read by an in-store terminal or by a card reader attached to a PC.

The personal data usage program 204 of Fig. 2 is typically stored on a computer connected over a network to the business data generation server 202.

Fig. 2 has been explained in terms of functional blocks, but the processing of those blocks may be realised in hardware, in software or in a combination of the two.

That is, the computers, servers and cards in the figure have as hardware at least a CPU, memory or other LSI; the programs loaded into memory, such as the purchase record recording unit 205, the point management unit 206 and the purchase tendency analysis unit 207, are executed by the CPU, which realises the processing. The personal data usage program 204 may also be stored on the same computer as the business data generation server 202.

[Embodiment 2]

The second embodiment of the invention, shown in Fig. 8, is described next. System 800 of Fig. 8 is a configuration in which anonymous ID processing and usage history recording are delegated to a system outside the membership card. The membership card 201 consists only of the personal ID database 104. An ID management proxy server 801 consists of the anonymous ID sending unit 101, the anonymous ID database 103, the anonymous ID issuing unit 105 and the ID response unit 108, and a valid ID determination unit 802 is installed in the ID response unit 108. A usage history management server consists of the usage history database 111 and a usage history output unit 803, and is connected to a usage history display terminal 804. The business data generation server 202 and the personal data usage program are the same as in system 200.

Data 900 is stored in the anonymous ID database 103 and is identical to data 301 apart from a field 904 holding an expiry date. When the anonymous ID issuing unit 105 generates data 900, the expiry field is set to a value specified by the member or to a default applied when the card is issued. Data 901 is stored in the management anonymous ID database 107 and consists of the same fields as 900. All other data are the same as in system 200.

Because system 800 delegates anonymous ID issuance and usage history recording to the proxy server, points can be calculated and DM address lists generated even when the membership card is not connected to the system. The valid ID determination unit 802 checks the expiry date and the permitted number of uses of an anonymous ID, which prevents the personal data of members who no longer visit the store from being used indefinitely.

Systems 200 and 800 in the above embodiments assume a membership card system for a retail store, but memory and a processor can be carried on the card's IC chip and, in principle, a PDA, mobile phone or similar device can take the card's place. The invention is therefore not limited to retail membership card systems. The business data generation server 202 and the personal data usage program 204 may also be connected over a network, so the invention also applies to outsourcing personal data usage over a network: for example, placing the business data generation server 202 of system 200 or 800 at the outsourcing company and the personal data usage program 204 at the contractor lets the outsourcing company monitor and control the contractor's use of personal data.

The personal data usage program 204 of Fig. 8 is typically stored on a computer connected over a network to the business data generation server 202.

Fig. 8 has been explained in terms of functional blocks, but the processing of those blocks may be realised in hardware, in software or in a combination of the two.

That is, the computers, servers and cards in the figure have as hardware at least a CPU, memory or other LSI; the programs loaded into memory, such as the purchase record recording unit 205, the point management unit 206 and the purchase tendency analysis unit 207, are executed by the CPU, which realises the processing. The personal data usage program 204 may also be stored on the same computer as the business data generation server 202.

[Embodiment 3]

The third embodiment of the invention, shown in Fig. 11, is described next. System 1100 comprises a membership card 1101, a management card 1102, a business data generation server 1106, the access control server 208 and the personal data usage program 204. It exemplifies a retail store in which the consumer holds the membership card 1101 and the personal data manager holds the management card 1102. When buying goods the consumer uses the membership card 1101 to accumulate or redeem points; while points are accumulated or redeemed, the purchase record recording unit and point management unit within the personal data usage program 204 process only data managed under the anonymous ID.

The personal data usage program 204 of Fig. 11 is typically stored on a computer connected over a network to the business data generation server 1106.

Fig. 11 has been explained in terms of functional blocks, but the processing of those blocks may be realised in hardware, in software or in a combination of the two.

That is, the computers, servers and cards in the figure have as hardware at least a CPU, memory or other LSI; the programs loaded into memory, such as the purchase record recording unit 205, the point management unit 206 and the purchase tendency analysis unit 207, are executed by the CPU, which realises the processing. The personal data usage program 204 may also be stored on the same computer as the business data generation server 1106.

The purchase tendency analysis unit 207 uses both the data managed by anonymous ID and the name, address and other data managed by personal ID, but these can be linked for use only when the management card 1102 gives an appropriate response.

The membership card 1101 consists of a replica anonymous ID database 1003 and an anonymous ID communication unit 1002. The management card 1102 consists of an ID data response unit 1005 together with a personal ID database 104 and an anonymous ID database 103 identical to those of system 200. The business data generation server 1106 consists of an anonymous ID synchronization unit 1001 and an anonymous ID update history database 1004, both held in a tamper-resistant device, together with the anonymous ID registration unit 106, the management anonymous ID database 107, the data connection unit 109 and the split-storage personal database 110.

The anonymous ID update history database 1004 need only be in a form accessible solely to the holder of the management card, so it may also be encrypted with a key held on the management card and placed outside the tamper-resistant device.

The anonymous ID registration unit 106, management anonymous ID database 107, data connection unit 109, split-storage personal database 110, access control server 208 and personal data usage program 204 are configured as in system 200.

Fig. 12 shows the data structures used in system 1100. Table 1200 is stored in the anonymous ID update history database 1004. Each row records one update: field 1201 is the anonymous ID before the update and field 1202 the anonymous ID after it. In the illustrated example A1001 is the first anonymous ID issued for personal ID "1001" and A1002 the next one issued. Rows are ordered by the order in which the updates occurred.

In this embodiment table 1200 is sufficient for all processing, but when it holds a very large number of rows the throughput of the anonymous ID synchronization unit 1001 becomes a practical problem. One way to avoid this is to read table 1200 from the database into the anonymous ID synchronization unit 1001 in advance and expand it in memory in the structure 1203. The table's data is split between a high-speed access area 1204 and a sequential access area 1205. Typically the high-speed area 1204 uses a structure with good lookup time, such as a binary tree or hash table, while the sequential area 1205 uses a memory-efficient structure such as a linked list or array.
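The in-memory form 1203 of table 1200 and the lookup the synchronization unit needs over it (following before/after links to the anonymous ID currently valid for a member, and rejecting a duplicate on registration), as an added Python example; this is illustrative code written for this page, not code from the patent or from Hitachi. The choice of a dict for area 1204, a list for area 1205, the demotion rule between them and the capacity parameter are assumptions of the example.

```python
from typing import Optional


class UpdateHistory:
    """Structure 1203: the newest updates sit in a dict (high-speed area 1204); older ones are
    demoted to a list scanned linearly (sequential area 1205).  Rows are (before, after) pairs
    of table 1200 in the order the updates occurred."""

    def __init__(self, rows: list, fast_capacity: int = 1024) -> None:
        self.fast_capacity = fast_capacity
        self.fast: dict = {}          # before -> after for the most recent updates
        self.sequential: list = []    # (before, after) for older updates, oldest first
        self._fast_order: list = []   # insertion order of the keys in self.fast
        self._known: set = set()      # every anonymous ID ever recorded, for the duplicate check
        for before, after in rows:
            self.append(before, after)

    def append(self, before: str, after: str) -> bool:
        """Register one update; False if `after` duplicates an anonymous ID that already exists
        (the registration unit's duplicate check before writing to database 1004)."""
        if after in self._known:
            return False
        self._known.update((before, after))
        self.fast[before] = after
        self._fast_order.append(before)
        if len(self._fast_order) > self.fast_capacity:   # demote the oldest entry to area 1205
            oldest = self._fast_order.pop(0)
            self.sequential.append((oldest, self.fast.pop(oldest)))
        return True

    def successor(self, anonymous_id: str) -> Optional[str]:
        """The ID that replaced `anonymous_id`, or None if it has not been replaced."""
        if anonymous_id in self.fast:                      # O(1) hit in area 1204
            return self.fast[anonymous_id]
        for before, after in self.sequential:              # linear scan of area 1205
            if before == anonymous_id:
                return after
        return None

    def resolve_current(self, anonymous_id: str) -> str:
        """Follow before -> after links to the ID with no successor, i.e. the one currently valid
        for the same member.  The visited set turns a corrupted cyclic table into an error
        instead of an infinite loop."""
        seen = {anonymous_id}
        current = anonymous_id
        while (nxt := self.successor(current)) is not None:
            if nxt in seen:
                raise ValueError("cycle in anonymous ID update history")
            seen.add(nxt)
            current = nxt
        return current
```

Because table 1200 links IDs across rotations, whoever can read it can re-link old purchase records to the current anonymous ID, which is exactly why the patent confines it to the tamper-resistant device or encrypts it under a key held on the management card.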

Sequence 1300 in Figure 13 shows the flow of processing when the data 303 managed by personal ID and the data 304 managed by anonymous ID in the divided-storage personal database 110 are joined and the joined data is used by the purchase tendency analysis unit 207.

First, the purchase tendency analysis unit 207 requests analysis data in process 701, which starts sequence 1300. Processes 701, 702, 703 and 704 are the same as in sequence 700.

After process 704, the data connection unit 109 requests ID correspondence data from the management card 1102 in process 1301. On receiving the request, the management card 1102 in turn asks the anonymous ID registration unit 106 to update the anonymous ID in process 1302. The anonymous ID registration unit 106 generates a random number in process 1303 and sends it to the management card in process 1304. In process 1305 the management card 1102 performs the same processing as process 708 and issues an anonymous ID using the random number and the personal ID as the key. Next, in process 1306 the management card 1102 sends the issued anonymous ID to the anonymous ID registration unit 106, which registers the received anonymous ID in the anonymous ID update history database 1004 (process 1307) provided it does not collide with an existing anonymous ID. Once the management card 1102 receives notification from the anonymous ID registration unit 106 in process 1308 that the update is complete, it stores the issued anonymous ID in the anonymous ID database 103 in process 1309.

With the anonymous ID update processing above finished, the management card 1102 returns the ID correspondence data, consisting of the pre-update anonymous ID and the personal ID, to the data connection unit 109 in process 1310. The ID correspondence data is held in a form the management card can handle, such as an array or a single bit string, and pairs the personal ID with the anonymous ID in force before the update. Next, the data connection unit 109 performs process 713, the same as in sequence 700, and extracts the data for analysis.

Next, in process 1311 the data connection unit 109 asks the anonymous ID registration unit to update the divided-storage personal database; the anonymous ID registration unit 106 performs process 716, the same as in sequence 700, and the system moves on to process 1312.

However, depending on the balance between the processing capacity of the management card 1102 and that of the divided-storage personal database 110, it can sometimes save time to acknowledge each update request immediately rather than sending it straight to process 716, and to collect several update requests and execute them together later. In principle the present invention can easily accommodate such processing. In that case, process 713 refers to the update history in the anonymous ID update history database 1004, generates ID correspondence data for each of the past anonymous IDs that correspond to a given personal ID, and performs the join with all of them. In process 716, until the number of update requests predetermined by the system user has been received, the system simply moves on to the next process 1312. Once that count is reached, the anonymous ID update history database is consulted, the anonymous IDs in the divided-storage personal database 110 that still need updating are identified, and after the ID update processing has been executed the system proceeds to process 1312.

In process 1312, the data connection unit 109 sends the data extracted in process 713 to the access control server 208 side. The access control server 208 then passes the received joined data to the purchase tendency analysis unit 207 as the analysis data requested in process 701. Next, the purchase tendency analysis unit 207 performs processes 717 and 718, the same as in sequence 700, and outputs the analysis result.
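The following Python is an added example, not code from the patent or from Hitachi, that models sequence 1300 end to end: the management card issues a new anonymous ID from the personal ID and a random number, the registration unit refuses colliding IDs and records accepted ones in the update history (table 1200), the card hands out only the pre-update ID correspondence, the two halves of the divided personal database are joined on that correspondence (process 713), and the anonymous-ID-keyed half is rekeyed to the new IDs (process 716). The class and function names, the choice of HMAC-SHA256 as the hash, the 4-byte truncation, the retry bound and the sample records are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ANON_ID_BYTES = 4         # short IDs keep the example readable; a deployment would use more
MAX_ISSUE_ATTEMPTS = 8    # bound on the collision retry loop (processes 1303 to 1306)


def issue_anonymous_id(personal_id: str, random_number: bytes) -> str:
    """Process 1305: derive the anonymous ID from the personal ID and the random
    number. HMAC-SHA256 is an assumption; the patent only calls for a HASH
    function keyed with the personal ID and the random number."""
    mac = hmac.new(random_number, personal_id.encode("utf-8"), hashlib.sha256)
    return "A" + mac.digest()[:ANON_ID_BYTES].hex()


class AnonymousIdRegistrationUnit:
    """Unit 106 together with the update history database 1004 (table 1200)."""

    def __init__(self, ids_in_use):
        self.in_use = set(ids_in_use)   # every anonymous ID already issued
        self.history = []               # (old_id, new_id) rows in update order

    def random_number(self) -> bytes:
        """Process 1303."""
        return secrets.token_bytes(16)

    def register(self, old_id: str, new_id: str) -> bool:
        """Process 1307: record the update only if the new ID is unused."""
        if new_id in self.in_use:
            return False
        self.in_use.add(new_id)
        self.history.append((old_id, new_id))
        return True


class ManagementCard:
    """Card 1102: holds the personal ID / anonymous ID pairs (databases 103 and 104)."""

    def __init__(self, anon_by_personal):
        self.anon_by_personal = dict(anon_by_personal)

    def rotate(self, personal_id: str, unit: AnonymousIdRegistrationUnit):
        """Processes 1302 to 1309: issue a new anonymous ID, retrying on collision."""
        old_id = self.anon_by_personal[personal_id]
        for _ in range(MAX_ISSUE_ATTEMPTS):
            new_id = issue_anonymous_id(personal_id, unit.random_number())
            if unit.register(old_id, new_id):
                self.anon_by_personal[personal_id] = new_id
                return old_id, new_id
        raise RuntimeError("could not issue a collision-free anonymous ID")

    def correspondence(self, personal_id: str, old_id: str) -> dict:
        """Process 1310: the card hands out only the pre-update pair."""
        return {"personal_id": personal_id, "anonymous_id": old_id}


def join_and_rekey(personal_rows, anon_rows, pairs, rekey):
    """Process 713 (join) and process 716 (rekey).
    personal_rows: {personal_id: attributes}            (data 303)
    anon_rows:     [{"anonymous_id": ..., ...}, ...]     (data 304)
    pairs:         ID correspondence data returned by the card
    rekey:         {old_anonymous_id: new_anonymous_id}"""
    personal_by_anon = {p["anonymous_id"]: p["personal_id"] for p in pairs}
    joined = []
    for row in anon_rows:
        pid = personal_by_anon.get(row["anonymous_id"])
        if pid is None:
            continue   # no correspondence data for this row: it stays unlinkable
        attrs = {k: v for k, v in row.items() if k != "anonymous_id"}
        joined.append({"personal_id": pid, **personal_rows[pid], **attrs})
    # Process 716: afterwards data 304 must carry only the new anonymous IDs
    rekeyed = [{**row, "anonymous_id": rekey.get(row["anonymous_id"], row["anonymous_id"])}
               for row in anon_rows]
    return joined, rekeyed


def run_sequence_1300(personal_rows, anon_rows, card, unit, personal_ids):
    """Rotate each requested person's anonymous ID, then join and rekey."""
    pairs, rekey = [], {}
    for pid in personal_ids:
        old_id, new_id = card.rotate(pid, unit)
        pairs.append(card.correspondence(pid, old_id))
        rekey[old_id] = new_id
    return join_and_rekey(personal_rows, anon_rows, pairs, rekey)


# Constructed sample data for this example (not taken from the patent)
PERSONAL_ROWS = {"1001": {"name": "Alice", "age_band": "30s"},
                 "1002": {"name": "Bob", "age_band": "40s"}}
ANON_ROWS = [{"anonymous_id": "A1001", "item": "book", "amount": 12},
             {"anonymous_id": "A2001", "item": "pen", "amount": 3},
             {"anonymous_id": "A1001", "item": "lamp", "amount": 40}]
CARD_PAIRS = {"1001": "A1001", "1002": "A2001"}

if __name__ == "__main__":
    unit = AnonymousIdRegistrationUnit(CARD_PAIRS.values())
    card = ManagementCard(CARD_PAIRS)
    joined, rekeyed = run_sequence_1300(PERSONAL_ROWS, ANON_ROWS, card, unit, ["1001", "1002"])
    for row in joined:
        print(row)
    print("history:", unit.history)
    print("data 304 after rekey:", rekeyed)
```

The join never sees the new anonymous IDs and the rekeyed table never sees the personal IDs, which is the separation the management card is there to enforce; the retry loop in rotate is the client-side half of the collision check the claims describe, and it is bounded so that a registration unit that keeps rejecting IDs produces an error rather than an endless loop.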

Figure 14 shows the sequence when a membership card is used. Sequence 1400 shows the processing by which the membership card 1101 obtains the anonymous ID to return to the recorder 606 when a purchase record is registered using the same anonymous ID as in sequence 600. In process 1401 the recorder requests an anonymous ID from the anonymous ID synchronization unit 1001, which then obtains the anonymous ID stored in the membership card 1101 in processes 1402 and 1403. In process 1404 the anonymous ID synchronization unit 1001 checks table 1200 of the anonymous ID update history database 1004, or the data 1203 into which that table has been expanded in memory. When table 1200 is checked directly, the anonymous ID obtained in process 1403 is used as the key to search the records. When data 1203 is used, the high-speed access area is checked first for a match with the old anonymous ID and the sequential access area is checked next.

If a newer anonymous ID exists in the update history database 1004, the new anonymous ID is written to the membership card 1101, overwriting the old one, and stored in the replicated anonymous ID database 1003 in processes 1405 and 1406. Next, in process 1408 the anonymous ID synchronization unit 1001 removes history data that is no longer needed from the anonymous ID update history, and in process 1409 returns the latest anonymous ID to the recorder.
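The following Python is an added example, not code from the patent or from Hitachi, covering the in-memory structure 1203 from the Figure 12 discussion and the lookup, update and pruning steps of sequence 1400 (claim 14). The synchronization unit holds table 1200 as a hash map (high-speed access area) plus a list (sequential access area), follows the old-to-new chain from whatever anonymous ID a membership card presents until no newer ID exists, refuses a looping history instead of spinning on it, and then drops history rows that are older than the latest link and whose IDs no longer key any row of the divided personal database. The split rule (newest rows in the hash map), the pruning rule as a reading of claim 14, the names and the sample history are assumptions made for this example.

```python
class AnonymousIdSynchronizationUnit:
    """Unit 1001 with table 1200 expanded in memory as structure 1203."""

    def __init__(self, history_rows, fast_capacity=1024):
        rows = list(history_rows)   # (old_id, new_id), in the order updates happened
        # Assumption for this example: the newest rows go to the high-speed
        # area 1204 (hash map); older rows stay in the sequential area 1205 (list).
        self.fast = dict(rows[-fast_capacity:]) if fast_capacity else {}
        self.sequential = rows[:-fast_capacity] if fast_capacity else rows

    def _next(self, anon_id):
        """One link of the chain: high-speed area first, then a linear scan."""
        nxt = self.fast.get(anon_id)
        if nxt is not None:
            return nxt
        for old_id, new_id in self.sequential:
            if old_id == anon_id:
                return new_id
        return None

    def resolve(self, presented_id):
        """Process 1404: follow old -> new links until no newer ID exists.
        Returns (latest_id, chain), chain being the rows that were walked."""
        limit = len(self.fast) + len(self.sequential)
        current, chain = presented_id, []
        for _ in range(limit + 1):
            nxt = self._next(current)
            if nxt is None:
                return current, chain
            chain.append((current, nxt))
            current = nxt
        # More links than rows: the history loops, so refuse rather than spin
        raise ValueError("anonymous ID update history contains a cycle")

    def prune(self, chain, latest_id, ids_in_personal_db):
        """Process 1408 (reading of claim 14 used here): within the walked chain,
        drop rows older than the latest link whose IDs no longer key any row of
        the divided personal database 110. Rows whose old ID is still a key are
        kept, because deferred rekeying (batched process 716) still needs them
        to build ID correspondence data for the join."""
        drop = {(o, n) for o, n in chain
                if n != latest_id
                and o not in ids_in_personal_db
                and n not in ids_in_personal_db}
        self.sequential = [r for r in self.sequential if r not in drop]
        self.fast = {o: n for o, n in self.fast.items() if (o, n) not in drop}

    def synchronize(self, card_id, ids_in_personal_db):
        """Sequence 1400: returns (latest_id, card_needs_update) and prunes history."""
        latest, chain = self.resolve(card_id)
        self.prune(chain, latest, ids_in_personal_db)
        return latest, latest != card_id

    def row_count(self):
        return len(self.fast) + len(self.sequential)


# Constructed sample history (table 1200), not the patent's figure
HISTORY = [("A1001", "A1002"), ("A1002", "A1003"), ("B2001", "B2002")]

if __name__ == "__main__":
    unit = AnonymousIdSynchronizationUnit(HISTORY, fast_capacity=2)
    # A card still carrying A1001 is two updates behind; data 304 already uses A1003
    print(unit.synchronize("A1001", {"A1003", "B2002"}))
    print(unit.row_count(), "history rows left")
```

Passing the set of anonymous IDs that currently key the divided personal database into synchronize is what keeps pruning safe under the batched update described above: as long as a row of data 304 is still keyed by an old ID, the history entry that links it to the current ID is retained.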

This concludes the third embodiment of the present invention. By using the anonymous ID synchronization unit 1001 together with a management card that has the authority to join data and a membership card that has the authority to copy the anonymous ID, the data join control described in embodiments 1 and 2 becomes easy to carry out.

In the third embodiment the same effect can also be obtained easily with a configuration in which all ID correspondence data in system 1100 is encrypted and held by the business data server 1106. In that case the management card 1102 holds a shared key and no longer needs the personal ID database 104 or the anonymous ID database 103. The ID correspondence data response unit 1005 in the management card responds with the shared key instead of the ID correspondence data, and the business data generating server 1106 is given the anonymous ID issuing unit 105. With this configuration the encryption key is handed over in process 1302, the anonymous ID registration unit 106 decrypts the ID correspondence data in process 1303, and the series of processes then follows as before. In process 1307 the anonymous ID registration unit 106 assembles the updated anonymous ID into new ID correspondence data and stores it after encrypting it with the shared key. In process 1310 the pre-update ID correspondence data is returned.

The invention can be applied to database systems that handle highly confidential electronic data such as personal information, medical information and official documents.

Claims (19)

1. A register control method used in a system in which a client terminal device is connected to a personal data management server, the personal data management server having a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID, the method comprising:
the client terminal device starting the processing of connecting to the personal data management server;
accessing an individual ID that identifies a specific individual, the individual ID being stored in a storage area in the client terminal device;
generating at least one anonymous ID by means of a HASH function keyed with the individual ID;
sending anonymity management data to the personal data management server, the anonymity management data consisting of the anonymous ID and one or more personal data usage license conditions, a personal data usage license condition being a condition that controls whether the client terminal device that sent the anonymous ID provides the individual ID stored in the storage area when it receives an individual ID acquisition request from the personal data management server;
receiving the registration result for the anonymity management data from the personal data management server;
if the registration failed, performing the anonymous ID generation processing and the sending of the anonymity management data again; and
if the registration succeeded, storing the anonymity management data in the storage area of the client terminal device.
2. The register control method according to claim 1, wherein, before the client terminal device sends the individual ID to the personal data management server, it
generates a new anonymous ID by the anonymous ID generation processing,
sends the new anonymous ID to the personal data management server, and
confirms the registration result for the new anonymous ID produced by the personal data management server.
3. The register control method according to claim 1, wherein, in response to a client identification request received from the personal data management server, the client terminal device sends the anonymous ID stored in the storage area.
4. A register control method using a personal data management server, the personal data management server having a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID, the method comprising:
receiving one or more items of anonymity management data from a client terminal device, each item consisting of an anonymous ID generated by a HASH function keyed with the individual ID that identifies a specific individual and one or more personal data usage license conditions, a personal data usage license condition being a condition that controls whether the stored individual ID may be obtained when the personal data management server sends an individual ID acquisition request to the client terminal device that sent the stored anonymous ID;
determining whether the received anonymous ID conflicts with an anonymous ID stored on the server, and sending the determination result to the client terminal device;
if there is no conflict, storing the anonymity management data in the database; and
replacing, with the received anonymous ID, the anonymous ID in the database that was generated from the same individual ID as the received anonymous ID.
5. The register control method according to claim 4, wherein the storing of the anonymity management data in the database is carried out after two or more items of anonymity management data have been received.
6. The register control method according to claim 4 or 5, wherein, after an anonymous ID is received from the client terminal device, it is matched against electronic data capable of identifying the specific individual and accumulated with the personal data as key.
7. The register control method according to claim 4 or 5, wherein every unit that carries out the processing is housed in a tamper-resistant device.
8. The register control method according to claim 1 or 4, wherein the personal data usage license condition includes a validity period for the generated anonymous ID.
9. A client terminal device connected to a personal data management server, the personal data management server having a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID, the client terminal device comprising:
a storage section holding an individual ID that identifies a specific individual; and
an arithmetic processing section that generates one or more anonymous IDs by a HASH function taking the individual ID stored in the storage section as its input value and stores them in the storage section;
wherein the storage section holds anonymity management data comprising the anonymous ID and at least one personal data usage license condition relating to the personal data held by the personal data management server, a personal data usage license condition being a condition that controls whether the client terminal device that sent the anonymous ID provides the individual ID stored in the storage section when it receives an individual ID acquisition request from the personal data management server; and
wherein the client terminal device has the function of, on receiving a request from the personal data management server to send the individual ID, generating a new anonymous ID in the arithmetic processing section, sending it to the personal data management server and storing it in the storage section before the individual ID is sent to the personal data management server.
10. A register control method used in a system in which a client terminal device is connected to a personal data management server, the personal data management server having a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID, the method comprising:
the client terminal device starting the processing of connecting to the personal data management server;
accessing an individual ID that identifies a specific individual and an anonymous ID, the individual ID and the anonymous ID being stored in a storage area in the client terminal device;
generating ID correspondence data representing the correspondence between the individual ID and the anonymous ID;
generating at least one new anonymous ID by a HASH function keyed with the individual ID, and sending the new anonymous ID to the personal data management server;
receiving the registration result for the new anonymous ID from the personal data management server;
if the registration failed, performing the generation of the new anonymous ID and the sending of the anonymity management data again;
if the registration succeeded, storing the new anonymous ID in the storage area of the client terminal device; and
sending the ID correspondence data to the personal data management server.
11. A register control method used in a system in which a client terminal device is connected to a personal data management server, the personal data management server having a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID, the method comprising:
the client terminal device starting the processing of connecting to the personal data management server;
receiving one or more anonymous IDs from the client terminal device, each anonymous ID being generated by a HASH function keyed with the individual ID that identifies a specific individual and is held in the client terminal device;
determining whether the received new anonymous ID conflicts with an anonymous ID stored on the server, and sending the determination result to the client terminal device;
if there is no conflict, storing the received new anonymous ID in an anonymous ID update history database; and
receiving from the client terminal device the ID correspondence data of the individual ID and the pre-update anonymous ID.
12. A register control method used in a system in which a client terminal device is connected to a personal data management server, the personal data management server having a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID, the method comprising:
the client terminal device starting the processing of connecting to the personal data management server;
receiving one or more anonymous IDs from the client terminal device, each anonymous ID being generated by a HASH function keyed with the individual ID that identifies a specific individual and is held in the client terminal device;
determining whether the received new anonymous ID conflicts with an anonymous ID stored on the server, and sending the determination result to the client terminal device;
if there is no conflict, storing the received anonymous ID in an anonymous ID update history database;
receiving from the client terminal device the ID correspondence data of the individual ID and the pre-update anonymous ID; and
replacing the pre-update anonymous ID present in the database for storing the personal data with the new anonymous ID.
13. The register control method according to claim 11 or 12, wherein the data stored in the anonymous ID update history database consists of record data made up of pairs of the old anonymous ID before the update and the new anonymous ID after the update.
14. A register control method used in a system in which a client terminal device is connected to a personal data management server, the personal data management server having a database for storing personal data and an anonymous ID update history database, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID, the method comprising:
the client terminal device starting the processing of connecting to the personal data management server;
receiving an anonymous ID from the client terminal device;
accessing the update range stored in the anonymous ID update history database for the received anonymous ID, and taking out the latest anonymous ID;
if the received anonymous ID is older than the latest anonymous ID, sending the latest anonymous ID to the client terminal device; and
removing, from the update range stored in the anonymous ID update history database, the history data that is older than the latest anonymous ID and is associated with anonymous IDs not present in the database for storing the personal data.
15. A register control method, wherein:
a personal data management server has a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID;
when join processing of the personal data keyed by individual ID and the personal data keyed by anonymous ID has been started on the personal data management server,
the personal data management server receives one or more anonymous IDs from a client terminal device, each anonymous ID being generated by a HASH function keyed with the individual ID that identifies a specific individual and is held in the client terminal device,
determines whether the received new anonymous ID conflicts with an anonymous ID stored on the server, and sends the determination result to the client terminal device,
if there is no conflict, stores the received new anonymous ID in an anonymous ID update history database,
receives from the client terminal device the ID correspondence data of the individual ID and the pre-update anonymous ID, and
joins the personal data keyed by individual ID with the personal data keyed by anonymous ID using this ID correspondence data, which represents the correspondence between the individual ID and the anonymous ID.
16. A register control method, wherein:
a personal data management server has a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID;
when join processing of the personal data keyed by individual ID and the personal data keyed by anonymous ID has been started on the personal data management server,
the personal data management server receives one or more anonymous IDs from a client terminal device, each anonymous ID being generated by a HASH function keyed with the individual ID that identifies a specific individual and is held in the client terminal device,
determines whether the received new anonymous ID conflicts with an anonymous ID stored on the server, and sends the determination result to the client terminal device,
if there is no conflict, stores the received anonymous ID in an anonymous ID update history database,
receives from the client terminal device the ID correspondence data of the individual ID and the pre-update anonymous ID,
replaces the pre-update anonymous ID present in the database for storing the personal data with the new anonymous ID, and
joins the personal data keyed by individual ID with the personal data keyed by anonymous ID using this ID correspondence data, which represents the correspondence between the individual ID and the anonymous ID.
17. The register control method according to claim 16, wherein, in the anonymous ID update processing in the database, the data is locked so that it cannot be accessed while the update is in progress, and each of two or more pre-update anonymous IDs is replaced with a new anonymous ID during the lock period.
18. A register control method, wherein:
a personal data management server has a database for storing personal data, the personal data consisting of personal data keyed by individual ID, personal data keyed by anonymous ID, and encrypted ID correspondence data representing the correspondence between the individual ID and the anonymous ID; and
when the personal data management server starts a connection with a client terminal device, it receives an encryption key from the client terminal device and uses the received encryption key to decrypt the ID correspondence data stored in the server, which represents the correspondence between the individual ID and the pre-update anonymous ID.
19. A data management system comprising:
a personal data management server having a database for storing personal data, the personal data consisting of personal data keyed by individual ID and personal data keyed by anonymous ID; and
a client terminal device connected to the personal data management server, which carries out the following processing:
starting the processing of connecting to the personal data management server;
accessing an individual ID that identifies a specific individual, the individual ID being stored in a storage area in the client terminal device;
generating at least one anonymous ID by means of a HASH function keyed with the individual ID;
sending anonymity management data to the personal data management server, the anonymity management data consisting of the anonymous ID and one or more personal data usage license conditions, a personal data usage license condition being a condition that controls whether the client terminal device that sent the anonymous ID provides the individual ID stored in the storage area when it receives an individual ID acquisition request from the personal data management server;
receiving the registration result for the anonymity management data from the personal data management server;
if the registration failed, performing the anonymous ID generation processing and the sending of the anonymity management data again; and
if the registration succeeded, storing the anonymity management data in the storage area of the client terminal device.
CN2005100554268A 2004-03-19 2005-03-17 Register control method Expired - Fee Related CN1670746B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2004079453 2004-03-19
JP2004079453 2004-03-19
JP2004-079453 2004-03-19

Publications (2)

Publication Number Publication Date
CN1670746A CN1670746A (en) 2005-09-21
CN1670746B true CN1670746B (en) 2012-04-11

Family

ID=35042004

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2005100554268A Expired - Fee Related CN1670746B (en) 2004-03-19 2005-03-17 Register control method

Country Status (2)

Country Link
US (1) US7814119B2 (en)
CN (1) CN1670746B (en)

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9282081B2 (en) 2005-07-28 2016-03-08 Vaporstream Incorporated Reduced traceability electronic message system and method
US7610345B2 (en) * 2005-07-28 2009-10-27 Vaporstream Incorporated Reduced traceability electronic message system and method
DE102006012311A1 (en) * 2006-03-17 2007-09-20 Deutsche Telekom Ag Digital data set pseudonymising method, involves pseudonymising data sets by T-identity protector (IP) client, and identifying processed datasets with source-identification (ID), where source-ID refers to source data in source system
JP4812508B2 (en) * 2006-05-12 2011-11-09 富士通株式会社 System that handles presence information
US8024762B2 (en) * 2006-06-13 2011-09-20 Time Warner Cable Inc. Methods and apparatus for providing virtual content over a network
EP1956512A1 (en) * 2007-02-12 2008-08-13 PD-Gaus Programmier- und Datenservice GmbH Method for cryptographic data encoding
US8917165B2 (en) * 2007-03-08 2014-12-23 The Mitre Corporation RFID tag detection and re-personalization
JP5300206B2 (en) * 2007-04-02 2013-09-25 キヤノン株式会社 Information processing apparatus, function restriction method, storage medium, and program
US20080281757A1 (en) * 2007-05-07 2008-11-13 Yahoo! Inc. Trusted privacy information management
US8423479B2 (en) * 2007-05-07 2013-04-16 Yahoo! Inc. Trusted third party clearing house for lead tracking
US9223884B2 (en) * 2007-11-29 2015-12-29 Sap Se Resource identifier personalization
US8862877B2 (en) * 2008-08-12 2014-10-14 Tivo Inc. Data anonymity system
EP2166484A1 (en) * 2008-09-19 2010-03-24 SCP Asclépios Method of accessing personal information, such as a personalised medical record, using a local generation agent
CN102055749B (en) * 2009-11-05 2016-03-30 中兴通讯股份有限公司 Electronic bulletin board management method and system
CN102055748B (en) * 2009-11-05 2016-08-03 中兴通讯股份有限公司 Electronic bulletin board management method and system
US8626749B1 (en) * 2010-04-21 2014-01-07 Stan Trepetin System and method of analyzing encrypted data in a database in near real-time
US9946810B1 (en) 2010-04-21 2018-04-17 Stan Trepetin Mathematical method for performing homomorphic operations
US12045364B1 (en) 2010-04-21 2024-07-23 Stanley Trepetin Mathematical method for performing homomorphic operations
FR2960671B1 (en) * 2010-06-01 2020-01-10 Institut Telecom-Telecom Paris Tech Method for securing digital data and identities, in particular within processes using information and communication technologies
CN102316080B (en) * 2010-06-30 2016-06-01 百度在线网络技术(北京)有限公司 Support center authentication service anonymous authentication function under same main territory
JP5427825B2 (en) * 2011-04-19 2014-02-26 株式会社日立製作所 Kana system
JP5570543B2 (en) * 2012-02-24 2014-08-13 株式会社Nttドコモ Information processing apparatus, service providing system, service providing method, and program
JP5942634B2 (en) 2012-06-27 2016-06-29 富士通株式会社 Concealment device, concealment program, and concealment method
US20140282786A1 (en) 2013-03-12 2014-09-18 Time Warner Cable Enterprises Llc Methods and apparatus for providing and uploading content to personalized network storage
JP5939580B2 (en) * 2013-03-27 2016-06-22 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Name identification system for identifying anonymized data, method and computer program therefor
KR102144509B1 (en) * 2014-03-06 2020-08-14 삼성전자주식회사 Proximity communication method and apparatus
GB2534913B (en) 2015-02-05 2021-08-11 Fujitsu Ltd System, method, and program for storing and controlling access to data representing personal behaviour
CN106909811B (en) 2015-12-23 2020-07-03 腾讯科技(深圳)有限公司 Method and device for processing user identification
US10460367B2 (en) * 2016-04-29 2019-10-29 Bank Of America Corporation System for user authentication based on linking a randomly generated number to the user and a physical item
US10268635B2 (en) 2016-06-17 2019-04-23 Bank Of America Corporation System for data rotation through tokenization
US11106820B2 (en) * 2018-03-19 2021-08-31 International Business Machines Corporation Data anonymization
WO2019196721A1 (en) * 2018-04-11 2019-10-17 Beijing Didi Infinity Technology And Development Co., Ltd. Methods and apparatuses for processing data requests and data protection
US11489834B1 (en) 2018-10-10 2022-11-01 Diem Ai, Llc Systems and methods for an entity to control information exchange
US11003789B1 (en) * 2020-05-15 2021-05-11 Epsilon Data Management, LLC Data isolation and security system and method
CN113204724B (en) * 2021-04-30 2024-05-14 北京达佳互联信息技术有限公司 Method, device, electronic equipment and storage medium for creating interaction information

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5862325A (en) * 1996-02-29 1999-01-19 Intermind Corporation Computer-based communication system and method using metadata defining a control structure
CN1216656A (en) * 1996-04-15 1999-05-12 迪吉罗格公司 System and method for efficiently transmitting information
CN1475069A (en) * 2000-11-21 2004-02-11 �Ҵ���˾ Anonymous access to the service

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5961593A (en) * 1997-01-22 1999-10-05 Lucent Technologies, Inc. System and method for providing anonymous personalized browsing by a proxy system in a network
US5923842A (en) * 1997-03-06 1999-07-13 Citrix Systems, Inc. Method and apparatus for simultaneously providing anonymous user login for multiple users
US6463533B1 (en) * 1999-04-15 2002-10-08 Webtv Networks, Inc. System for generating site-specific user aliases in a computer network
US6734886B1 (en) * 1999-12-21 2004-05-11 Personalpath Systems, Inc. Method of customizing a browsing experience on a world-wide-web site
US6711682B1 (en) * 2000-02-09 2004-03-23 Microsoft Corporation Online service registration system and method
US7203315B1 (en) * 2000-02-22 2007-04-10 Paul Owen Livesay Methods and apparatus for providing user anonymity in online transactions
EP1133188A3 (en) * 2000-02-23 2004-11-24 Sony Corporation Information processing apparatus, network system, recording medium
JP2001357130A (en) 2000-06-13 2001-12-26 Hitachi Ltd Medical information management system
US20020002545A1 (en) * 2000-06-29 2002-01-03 Resneck James D. Electronic money transaction device and method
US6738808B1 (en) * 2000-06-30 2004-05-18 Bell South Intellectual Property Corporation Anonymous location service for wireless networks
AU2002226879A1 (en) * 2000-10-24 2002-05-06 Doubleclick Inc. Method and system for sharing anonymous user information
US7640187B1 (en) * 2001-03-30 2009-12-29 Novell, Inc. Anonymous shopping transactions on a network through information broker services
JP2003108846A (en) * 2001-09-28 2003-04-11 Fujitsu Ltd Sales promotion method and sales promotion device
US7472423B2 (en) * 2002-03-27 2008-12-30 Tvworks, Llc Method and apparatus for anonymously tracking TV and internet usage
FR2870656A1 (en) * 2004-05-18 2005-11-25 France Telecom Method of anonymous and secure payment on the Internet and mobile

Also Published As

Publication number Publication date
CN1670746A (en) 2005-09-21
US7814119B2 (en) 2010-10-12
US20050283621A1 (en) 2005-12-22

Similar Documents

Publication Publication Date Title
CN1670746B (en) Register control method
US11520922B2 (en) Method for personal data administration in a multi-actor environment
CN114026823B (en) Computer system for processing anonymous data and method of operating the same
US20190295102A1 (en) Computer architecture incorporating blockchain based immutable audit ledger for compliance with data regulations
US8613107B2 (en) System, method and apparatus for electronically protecting data associated with RFID tags
JP4639676B2 (en) Rental server system
WO2013150041A1 (en) Online-id-handling computer system and method
JP4396490B2 (en) Name identification control method
EP3940611B1 (en) Personal information management system, personal information management device, and personal information management method
JP3705439B1 (en) Personal information search program, personal information management system, and information processing apparatus with personal information management function
WO2022248849A1 (en) Blockchain, method for transmitting information between nodes of the blockchain, and methods for configuring and quering the blockchain
CN113498592B (en) Method and system for digital property authentication and management
Ciaburro Benefits and use of blockchain technology to support supply chain during COVID-19
JP6342094B1 (en) Information processing system, information processing method, and program
CN118504036A (en) Enterprise data desensitization management and control method, device, equipment and readable storage medium
JP4247012B2 (en) Offline customer information management system
Hrecska-Kovacs Health Law Implications of the Use of Blockchain Technology
JP2005196699A (en) Personal information management system
JP2005258495A (en) Database system with personal information access record / disclosure function
CN116508290A (en) Computer-implemented systems and methods
KR102686839B1 (en) Public my data management system
CN101470781A (en) Handling restriction information management system, handling restriction information management method and handling restriction information management program
JP6130888B2 (en) Personal information protection sales support system
JP6685118B2 (en) Personal information protection / use server
JP7765948B2 (en) Asset management system and asset management method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120411

Termination date: 20190317